Alexander Pope is given credit for the title quote but undoubtedly had never heard of a computer data breach when he put those four simple words together. In reality, a vast majority of data breaches are the result of human error in one form or fashion. However, there are 'errors' (little e) and there are ‘Errors’ (big E). I have watched over the past several years as variations on the following ‘Error scenario’ have played out time and time again in the trade press:
“I’m going to download all of our corporate staff and customer’s personally identifiable information to my laptop so I can work with it at home tonight. There’s no need to encrypt it because I’ll delete it all tomorrow. On the way home I need to stop to get enough caffeine and snacks to support my all-night data review. There’s no need to roll up the windows or lock the car as I’ll only be in the coffee shop a minute and no one will even notice the laptop sitting there in the passenger seat.”
To quote a somewhat less historically relevant and more modern phrase, “Seriously???”!
In tribute to All Hallow’s Eve when our neighborhoods will be filled with a variety of ghosts, goblins and costumes of every description looking for their annual treats, I present a list of data breach tricks that have been played on the public over the last year. This list only contains breaches that were a result of human Error as opposed to a system failure or an active hacking effort. They aren’t listed in any particular order (i.e., sorted by largest number of records or by the amount of time the data was available) and include both public and private organizations. As with any ‘top 10’ list I’m sure I’ve overlooked some really good ones. I look forward to your comments with suggested additions. (Information below was gathered from a variety of sources including http://www.privacyrights.org/data-breach and http://www.databreachwatch.org/data-breach-alerts/ )
• Indiana University School of Medicine - A laptop with sensitive information was stolen from a physician's car. It contained 3,192 patient’s information such as name, age, sex, diagnosis, medical record number, and in 178 cases, Social Security numbers.
• Stanford University Hospital and Clinics – A spreadsheet of names, account numbers, admission and discharge dates, billing charges and diagnosis codes of about 20,000 emergency room patients were posted on a commercial website for nearly a year. The spreadsheet was posted in relation to a question about how to convert the data into a bar graph.
• Yale University - A computer file containing the names and Social Security numbers of approximately 43,000 former faculty, staff, and students was accidentally made accessible online for 10 months.
• Belmont Savings Bank (BSB) - A bank employee left a backup tape on a desk rather than storing it. A cleaning crew disposed of the tape later that night. Names, Social Security numbers and account numbers of over 13,000 customers were exposed. The tape was believed to have been incinerated after disposal along with other sensitive materials from BSB.
• Kitchen Place - Items at a bankruptcy auction included two cabinets with past customer credit card and bank account numbers, methods of payment and home floor plans. Shelves for sale carried boxes of employee information which included names, Social Security numbers and other personal and payroll information. At least one person purchased an item that held customer information and subsequently dumped the papers in the parking lot.
• Sutter Gould Medical Foundation (SGMF) - Around 1,200 patient records were misplaced and buried in a landfill. The box of records contained patient names, Social Security numbers, addresses, diagnostic test results, provider notes and correspondence, disability forms and insurance information. An unnamed vendor is responsible for displacing the box.
• RxAmerica and Accendo Insurance Company - A formatting mistake made Medicare Part D beneficiaries enrolled in Prescription Drug Plans names, ID numbers, drug names and dates of birth viewable through the envelope window of letters sent. Current and former Molina Medicare, Healthy Advantage HMO SNP, and ChoicePartners Medicare HMO members were also affected for a total of 175,000 records.
• Ohio Auditor of State - A state-owned laptop was stolen from the home of a regional auditor. Financial audits of public offices in northwest Ohio were on the laptop. The employee was suspended for 15 days because a password to open the password-protected information on the computer was attached to the computer. This was in violation of office policy.
• U.S. District Court for the Middle District of Alabama - U.S. District Court personnel mistakenly believed that sealed records could be made available on a web-based records system called PACER. Nearly a million defense lawyers, prosecutors, journalists, private investigators, government officials and researchers could have accessed about 40 sealed records for as long as nine months. The records were sealed court applications filed by 10 separate federal prosecutors. Information in the records included installing hidden surveillance cameras, examining Facebook records, obtaining credit information, procuring telephone records and tracking calls. Specific names, addresses, and phone numbers were exposed.
• Science Applications International Corp (SAIC) - Backup tapes stolen from a car contained 4.9 million patients' names, phone numbers, Social Security numbers, and medical information.
As you sit reading this with your device of choice in one hand and the other reaching in to your child’s plastic pumpkin of goodies, no doubt your mouth hangs agape at the sheer magnitude of the human Error involved in the above incidents. Try to comprehend that more than 540,613,790 records have been breached from 2,707 incidents made public since 2005… many of those the result of simple human Error.
That sound you hear is Alexander Pope turning over in his grave.